Part 1: Why would anyone want to hack our factory?

Remarks on cyber security we hear on industrial sites

“Why would anyone want to hack our factory? We're not a nuclear power plant. Besides, our systems are segregated from the Internet, so we have nothing to worry about.” In this first blog of two, we respond to the most common remarks we regularly receive from personnel on site. We provide new insights into the risks that are specific to ICS systems and show the level of ICS security awareness on the sites we have visited.

When we execute security assessments on industrial sites such as a chemical factory or a car production facility, remarks like these are not uncommon. Whereas the security of IT systems has gained a lot of awareness in the past years, interest in the security of Operational Technology (OT) systems has only started to gain some traction. Furthermore, awareness of OT security is slowly catching up.

“No one is interested in targeting us”

For a lot of industrial sites, this statement might be completely true. It could be the case that your particular factory is not a likely target for a cyber-attack, unlike some kinds of chemical factories or power plants, which are common targets of environmental activists. Possible threat actors could be environmental activists, competing companies, a disgruntled employee or nation states.

However, one important aspect that is often forgotten in this line of thought is that not all cyber incidents are the result of a group of hackers actively targeting your company. Malware infections often happen by accident.

In June 2017 shipping terminals across the world began to shut down as a malware infection spread throughout the systems of a large container shipping company. The malware behaved like ransomware, software that encrypts all files on a system to make it unusable until the victim pays a ransom. However, in this case, paying the ransom wouldn’t work. The malware was simply designed to destroy. Moreover, the shipping company was collateral damage. The primary targets were companies in Ukraine. The delivery method was Ukrainian accounting software, of which the company had an instance running in a small office in Ukraine.

Accidental malware infection is a very important ‘attack’-angle to keep in mind and will come back in this blog while we’re discussing other common topics. Additionally, having a proper threat intelligence program in place will help identify the actual risks involved with targeted attacks, or other risks focused on one specific company, industry or location.

“Security does not increase our revenue”

When running the risk of not reaching production targets at the end of the month, it is understandable that your primary focus won’t be cyber security of production systems.

However, cyber security can help increase profit in the long run. We see an increasing trend of connecting existing ICS systems to the Internet and the use of the so-called Industrial Internet of Things (IIoT), often referred to as Industry 4.0. Big data analysis can provide very useful insights into the production process and identify possibilities for optimisation. Production processes that don’t have to run at full capacity 24/7 can be scaled up or down with fluctuations in the influx of raw materials or in energy prices. Without increased connectivity these innovations won’t be possible.

When ICS systems are implemented and maintained in a secure way, cyber security can be an enabler that opens the door to many profitable new developments and to serving clients in a better way. This could be positioned as a commercial advantage. Without proper security it would not be possible to stay ahead of the competition without running unacceptable risks at the same time.

More information

If you would like to know more about technical industrial cyber security, such as the possibilities and challenges involved in using virtualisation in OT environments, take a look at Dima van de Wouw’s blog post. For a higher-level strategic view on the need for a security officer in industrial environments, take a look at Michel van Veen’s blog post.

Contact

Senior Consultant

Colin is a senior consultant at Deloitte Cyber Risk Services working on a variety of security tests in multiple industries. He has worked on penetration tests on mobile and web applications, infrastru...

Manager

At Deloitte The Netherlands I am a manager within the ICS Security team. I have a background in Electrical Engineering (BSc), Science Communication (MSc.), 3,5 years of experience in Ethical Hacking, ...
